Rob, Thanks for the email. It means that Volatility is not able to automatically identify a suitable address space. Do you have any information about the system the hiberfil was collected from (OS, Hardware Architecture, Size of Ram, etc).  We have a big patch coming in the next release that should expand the hiberfil support. Would you be able to share the sample? Thanks, AW On Fri, 9 Mar 2012, Dewhirst, Rob wrote:

Rob, No worries...This will most likely be covered in our upcoming patch. Would you be willing to send us a couple of formatting sections from the file?  This would allows us to easily confirm that your sample will be supported with the upcoming patch.  In the interim, you may try using MoonSol's tool to convert the sample to a raw dd format. Thanks, AW On Sat, 10 Mar 2012, Dewhirst, Rob wrote: > Sadly I can't share the sample.  This is from an x86 Windows 7 system. > I believe it had 4GB of RAM. > > On Sat, Mar 10, 2012 at 7:51 AM, AAron Walters <awalters(a)4tphi.net> wrote: >> >> >> Rob, >> >> Thanks for the email. It means that Volatility is not able to >> automatically >> identify a suitable address space. Do you have any information about the >> system the hiberfil was collected from (OS, Hardware Architecture, Size >> of >> Ram, etc).  We have a big patch coming in the next release that should >> expand the hiberfil support. Would you be able to share the sample? >> >> Thanks, >> >> AW >> >> >> >> On Fri, 9 Mar 2012, Dewhirst, Rob wrote: >> >>> Does this mean volatility can't identify the hiberfil? >>> >>> $ python ~/Volatility/vol.py hibinfo -f hiberfile.sys >>> Volatile Systems Volatility Framework 2.1_alpha >>> No suitable address space mapping found >>> Tried to open image as: >>> WindowsHiberFileSpace32: No base Address Space >>> EWFAddressSpace: No base address space provided >>> WindowsCrashDumpSpace32: No base Address Space >>> AMD64PagedMemory: No base Address Space >>> JKIA32PagedMemory: No base Address Space >>> JKIA32PagedMemoryPae: No base Address Space >>> IA32PagedMemoryPae: Module disabled >>> IA32PagedMemory: Module disabled >>> WindowsHiberFileSpace32: No xpress signature found >>> EWFAddressSpace: EWF signature not present >>> WindowsCrashDumpSpace32: Header signature invalid >>> AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected >>> JKIA32PagedMemory: No valid DTB found >>> JKIA32PagedMemoryPae: No valid DTB found >>> IA32PagedMemoryPae: Module disabled >>> IA32PagedMemory: Module disabled >>> FileAddressSpace: Must be first Address Space >>> _______________________________________________ >>> Vol-users mailing list >>> Vol-users(a)volatilityfoundation.org >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>> >> > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Rob, Would you be able to send us the first 0x6 pages (0x0-0x7000) of the hibernation file? From that we should be able to verify if the upcoming patches will address your issues. Thanks, AW On Sun, 11 Mar 2012, Dewhirst, Rob wrote: > Let me know what sections you would like and I will see if I can extract > them. > > I can't justify the $655 for the Moonsols toolkit right now.  The > community edition won't convert windows 7 hibernation files. > > On Sat, Mar 10, 2012 at 8:16 AM, AAron Walters <awalters(a)4tphi.net> wrote: >> >> >> Rob, >> >> No worries...This will most likely be covered in our upcoming patch. >> Would >> you be willing to send us a couple of formatting sections from the file? >>  This would allows us to easily confirm that your sample will be >> supported >> with the upcoming patch.  In the interim, you may try using MoonSol's >> tool >> to convert the sample to a raw dd format. >> >> Thanks, >> >> AW >> >> >> On Sat, 10 Mar 2012, Dewhirst, Rob wrote: >> >>> Sadly I can't share the sample.  This is from an x86 Windows 7 system. >>> I believe it had 4GB of RAM. >>> >>> On Sat, Mar 10, 2012 at 7:51 AM, AAron Walters <awalters(a)4tphi.net> >>> wrote: >>>> >>>> >>>> >>>> Rob, >>>> >>>> Thanks for the email. It means that Volatility is not able to >>>> automatically >>>> identify a suitable address space. Do you have any information about >>>> the >>>> system the hiberfil was collected from (OS, Hardware Architecture, Size >>>> of >>>> Ram, etc).  We have a big patch coming in the next release that should >>>> expand the hiberfil support. Would you be able to share the sample? >>>> >>>> Thanks, >>>> >>>> AW >>>> >>>> >>>> >>>> On Fri, 9 Mar 2012, Dewhirst, Rob wrote: >>>> >>>>> Does this mean volatility can't identify the hiberfil? >>>>> >>>>> $ python ~/Volatility/vol.py hibinfo -f hiberfile.sys >>>>> Volatile Systems Volatility Framework 2.1_alpha >>>>> No suitable address space mapping found >>>>> Tried to open image as: >>>>> WindowsHiberFileSpace32: No base Address Space >>>>> EWFAddressSpace: No base address space provided >>>>> WindowsCrashDumpSpace32: No base Address Space >>>>> AMD64PagedMemory: No base Address Space >>>>> JKIA32PagedMemory: No base Address Space >>>>> JKIA32PagedMemoryPae: No base Address Space >>>>> IA32PagedMemoryPae: Module disabled >>>>> IA32PagedMemory: Module disabled >>>>> WindowsHiberFileSpace32: No xpress signature found >>>>> EWFAddressSpace: EWF signature not present >>>>> WindowsCrashDumpSpace32: Header signature invalid >>>>> AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected >>>>> JKIA32PagedMemory: No valid DTB found >>>>> JKIA32PagedMemoryPae: No valid DTB found >>>>> IA32PagedMemoryPae: Module disabled >>>>> IA32PagedMemory: Module disabled >>>>> FileAddressSpace: Must be first Address Space >>>>> _______________________________________________ >>>>> Vol-users mailing list >>>>> Vol-users(a)volatilityfoundation.org >>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users >>>>> >>>> >>> _______________________________________________ >>> Vol-users mailing list >>> Vol-users(a)volatilityfoundation.org >>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

Hi Rob, You can send that to AAron and me. All the best, -Jamie (gleeda) On Wed, Mar 14, 2012 at 7:21 PM, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote: -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92